

<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-boucadair-mptcp-radius-00"
     ipr="trust200902">
  <front>
    <title abbrev="RADIUS for MPTCP">RADIUS Extensions for Network-Assisted
    Multipath TCP (MPTCP)</title>

    <author fullname="Mohamed Boucadair" initials="M." surname="Boucadair">
      <organization>Orange</organization>

      <address>
        <postal>
          <street></street>

          <city>Rennes</city>

          <region></region>

          <code>35000</code>

          <country>France</country>
        </postal>

        <email>mohamed.boucadair@orange.com</email>
      </address>
    </author>

    <author fullname="Christian Jacquenet" initials="C." surname="Jacquenet">
      <organization>Orange</organization>

      <address>
        <postal>
          <street></street>

          <city>Rennes</city>

          <region></region>

          <country>France</country>
        </postal>

        <email>christian.jacquenet@orange.com</email>
      </address>
    </author>

    <date />

    <abstract>
      <t>One of the promising deployment scenarios for Multipath TCP (MPTCP)
      is to enable a Customer Premises Equipment (CPE) that is connected to
      multiple networks (e.g., DSL, LTE, WLAN) to optimize the usage of its
      network attachments. Because of the lack of MPTCP support at the server
      side, some service providers consider a network-assisted model that
      relies upon the activation of a dedicated function called: MPTCP
      Concentrator.</t>

      <t>This document specifies a new Remote Authentication Dial-In User
      Service (RADIUS) attribute that carries the list of IP addresses that
      allow CPE devices to reach one or multiple MPTCP Concentrators.</t>
    </abstract>

    <note title="Requirements Language">
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
      document are to be interpreted as described in <xref
      target="RFC2119">RFC 2119</xref>.</t>
    </note>
  </front>

  <middle>
    <section title="Introduction">
      <t>One of the promising deployment scenarios for Multipath TCP (MPTCP,
      <xref target="RFC6824"></xref>) is to enable a Customer Premises
      Equipment (CPE) that is connected to multiple networks (e.g., DSL, LTE,
      WLAN) to optimize the usage of such resources, see for example <xref
      target="RFC4908"></xref>. This deployment scenario relies on MPTCP
      proxies located on both the CPE and network sides (<xref
      target="fig"></xref>). MPTCP Proxies deployed in the network play the
      role of traffic concentrator.</t>

      <t><figure align="center" anchor="fig"
          title="&quot;Network-Assisted&quot; MPTCP Design">
          <artwork><![CDATA[                      IP Network #1                     
 +------------+        _--------_    +------------+   
 |            |       (e.g., LTE )   |            |   
 |   CPE      +======================+            |    
 | (MPTCP     |       (_        _)   |Concentrator|   
 |  Proxy)    |         (_______)    | (MPTCP     |    
 |            |                      |  Proxy)    |------> Internet
 |            |                      |            |
 |            |        IP Network #2 |            |     
 |            |        _--------_    |            |    
 |            |       ( e.g., DSL )  |            |   
 |            +======================+            |
 |            |       (_        _)   |            |
 +-----+------+        (_______)     +------------+
       |
----CPE network----     
       |
    end-nodes
]]></artwork>
        </figure></t>

      <t>Within this document, an MPTCP Concentrator (or concentrator) refers
      to a functional element that is responsible for aggregating the traffic
      originated by a group of CPEs. This element is located in the network.
      One or multiple concentrators can be deployed in the network to assist
      MPTCP-enabled CPEs to establish MPTCP connections via their available
      network attachments. On the uplink path, the concentrator terminates the
      MPTCP connections <xref target="RFC6824"></xref> received from its
      customer-facing interfaces and transforms these connections into legacy
      TCP connections <xref target="RFC0793"></xref> towards upstream servers.
      On the downlink path, the concentrator turns the legacy server's TCP
      connection into MPTCP connections towards its customer-facing
      interfaces.</t>

      <t>Both implicit (where a CPE has no specific knowledge of any
      concentrator deployed in the network) and explicit modes are considered
      to steer traffic towards an MPTCP Concentrator. This document focuses on
      the explicit mode, which consists of explicitly configuring a CPE with
      the reachability information of an MPTCP Concentrator.</t>

      <t>This document specifies a new Remote Authentication Dial-In User
      Service (RADIUS, <xref target="RFC2865"></xref>) attribute that carries
      the MPTCP Concentrator IP address list (<xref target="att"></xref>). A
      sample use case is described in <xref target="uc"></xref>. In order to
      accommodate both IPv4 and IPv6 deployment contexts, the same attribute
      is used to convey an IPv4 or IPv6 address. Note that one or multiple
      IPv4 and/or IPv6 addresses may be returned to a requesting CPE.</t>

      <t>This document assumes that MPTCP Concentrator reachability
      information can be stored in Authentication, Authorization, and
      Accounting (AAA) servers, while the CPE configuration is usually
      provided by means of DHCP (<xref target="RFC2131"></xref><xref
      target="RFC3315"></xref>).</t>

      <t>This specification assumes an MPTCP Concentrator is reachable through
      one or multiple IP addresses. As such, a list of IP addresses can be
      communicated via RADIUS. Also, it assumes the various network
      attachments provided to an MPTCP-enabled CPE are managed by the same
      administrative entity.</t>
    </section>

    <section anchor="att" title="MPTCP RADIUS Attribute">
      <t>The RADIUS MPTCP-Concentrator attribute contains the IP address of an
      MPTCP Concentrator that is assigned to a CPE. Because multiple MPTCP
      Concentrator IP addresses may be provisioned to an authorised CPE (that
      is, a CPE entitled to solicit the resources of a concentrator to
      establish MPTCP connections), multiple instances of the
      MPTCP-Concentrator attribute MAY be included; each instance of the
      attribute carries a distinct IP address.</t>

      <t>The format of the MPTCP-Concentrator attribute is shown in <xref
      target="attribute"></xref>. The fields are transmitted from left to
      right.</t>

      <t><figure anchor="attribute">
          <artwork><![CDATA[    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Length    |          ip-address ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   //      ... ip-address          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork>
        </figure></t>

      <t>The description of the fields is as follows:<list style="symbols">
          <t>Type: TBA (see <xref target="IANA"></xref>).</t>

          <t>Length: 6 or 18.</t>

          <t>ip-address: This field carries either an IPv4 address (32 bits)
          or an IPv6 address (128 bits) of the MPTCP Concentrator.</t>
        </list></t>

      <t>The MPTCP-Concentrator attribute MUST NOT include multicast and host
      loopback addresses <xref target="RFC6890"></xref>. Anycast addresses are
      allowed to be included in an MPTCP-Concentrator attribute.</t>

      <t>The MPTCP-Concentrator Attribute MAY appear in a RADIUS Access-Accept
      packet. It MAY also appear in a RADIUS Access-Request packet as a hint
      to the RADIUS server to indicate a preference, although the server is
      not required to honor such a hint.</t>

      <t>The MPTCP-Concentrator Attribute MAY appear in a CoA-Request
      packet.</t>

      <t>The MPTCP-Concentrator Attribute MAY appear in a RADIUS
      Accounting-Request packet.</t>

      <t>The MPTCP-Concentrator Attribute MUST NOT appear in any other RADIUS
      packet.</t>
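      <t>The attribute layout and the packet-type rules above, worked as an
      added Python example that is not part of this draft and not the code of
      any RADIUS implementation. Because the Type code is TBA, the value 190
      used below is a placeholder chosen for the example only; the attribute
      list it parses is constructed here from documentation prefixes. The
      example encodes one instance per address, rejects multicast and loopback
      addresses with the checks of the Python ipaddress module, accepts only
      Length 6 or 18 on decode, and refuses the attribute in any packet code
      other than Access-Request (1), Access-Accept (2), Accounting-Request
      (4) and CoA-Request (43).</t>

      <t><figure>
          <artwork><![CDATA[
```python
import ipaddress
import struct

# The draft leaves the Type code "TBA"; 190 is a placeholder chosen for this
# example only (it is NOT an IANA assignment for MPTCP-Concentrator).
MPTCP_CONCENTRATOR_TYPE = 190

# RADIUS packet codes (RFC 2865, RFC 2866, RFC 5176) in which the draft lets
# the attribute appear: Access-Request, Access-Accept, Accounting-Request,
# CoA-Request. Every other code (Access-Reject, Access-Challenge, CoA-ACK,
# CoA-NACK, ...) corresponds to a "0" entry in the table of attributes.
ALLOWED_PACKET_CODES = {1, 2, 4, 43}


def _check_address(addr):
    """Reject the address classes the draft forbids (multicast and host
    loopback, RFC 6890); anycast is indistinguishable on the wire and passes."""
    if addr.is_multicast or addr.is_loopback:
        raise ValueError("forbidden MPTCP Concentrator address: %s" % addr)
    return addr


def encode_attribute(address):
    """Encode one MPTCP-Concentrator instance as Type | Length | ip-address.
    Length is 6 for IPv4 (2 + 4 octets) and 18 for IPv6 (2 + 16 octets)."""
    addr = _check_address(ipaddress.ip_address(address))
    packed = addr.packed
    return struct.pack("!BB", MPTCP_CONCENTRATOR_TYPE, 2 + len(packed)) + packed


def encode_attributes(addresses):
    """One attribute instance per concentrator address, as the draft allows."""
    return b"".join(encode_attribute(a) for a in addresses)


def decode_attributes(payload):
    """Walk a RADIUS attribute list (the octets after the 20-octet packet
    header) and return every MPTCP Concentrator address it carries. Other
    attributes are skipped; a malformed MPTCP-Concentrator instance raises."""
    addresses = []
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", payload, offset)
        if length < 2 or offset + length > len(payload):
            raise ValueError("bad attribute length %d" % length)
        value = payload[offset + 2:offset + length]
        offset += length
        if attr_type != MPTCP_CONCENTRATOR_TYPE:
            continue
        if length not in (6, 18):
            raise ValueError("MPTCP-Concentrator Length must be 6 or 18, got %d" % length)
        addresses.append(_check_address(ipaddress.ip_address(value)))
    return addresses


def concentrators_from_packet(code, payload):
    """Apply the packet-type rule: the attribute MAY appear in the codes listed
    in ALLOWED_PACKET_CODES and MUST NOT appear in any other RADIUS packet."""
    addresses = decode_attributes(payload)
    if addresses and code not in ALLOWED_PACKET_CODES:
        raise ValueError("MPTCP-Concentrator not allowed in RADIUS code %d" % code)
    return [str(a) for a in addresses]


def sample_access_accept_attributes():
    """Constructed attribute list of an Access-Accept: a Framed-IP-Address
    (Type 8, RFC 2865) for the CPE, then two MPTCP-Concentrator instances
    (one IPv4, one IPv6) built from documentation prefixes."""
    framed_ip = struct.pack("!BB", 8, 6) + ipaddress.IPv4Address("192.0.2.100").packed
    return framed_ip + encode_attributes(["198.51.100.1", "2001:db8:1::1"])


if __name__ == "__main__":
    attrs = sample_access_accept_attributes()
    print(attrs.hex())
    print(concentrators_from_packet(2, attrs))
```
]]></artwork>
        </figure></t>

      <t>A NAS would run concentrators_from_packet() over the attribute list
      of each Access-Accept or CoA-Request it receives and keep only the
      addresses that survive the checks before handing them to its DHCP
      server side; an Access-Reject that carries the attribute is treated as
      malformed rather than silently honoured.</t>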
    </section>

    <section anchor="uc" title="Sample Use Case">
      <t>This section does not aim to provide an exhaustive list of deployment
      scenarios where the use of the RADIUS MPTCP-Concentrator attribute can
      be helpful. Typical deployment scenarios are described, for instance, in
      <xref target="RFC6911"></xref>.</t>

      <t><xref target="ex"></xref> shows an example where a CPE is assigned an
      MPTCP Concentrator. This example assumes that the Network Access Server
      (NAS) embeds both RADIUS client and DHCPv6 server capabilities.</t>

      <t><figure align="center" anchor="ex" title="Sample Flow Example (1)">
          <artwork><![CDATA[      CPE                               NAS                      AAA
  DHCPv6 client                      DHCPv6 server              server
       |                                  |                        |
       |---------DHCPv6 Solicit---------->|                        |
       |                                  |----Access-Request ---->|
       |                                  |                        |
       |                                  |<----Access-Accept------|
       |                                  | (MPTCP-Concentrator)   |
       |<-------DHCPv6 Advertisement------|                        |
       |        (OPTION_V6_MPTCP)         |                        |
       |                                  |                        |
       |---------DHCPv6 Request---------->|                        |
       |                                  |                        |
       |<---------DHCPv6 Reply------------|                        |
       |       (OPTION_V6_MPTCP)          |                        |

                    DHCPv6                          RADIUS]]></artwork>
        </figure></t>

      <t>Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends
      a RADIUS Access-Request message to the AAA server. Once the AAA server
      receives the request, it replies with an Access-Accept message (possibly
      after having sent a RADIUS Access-Challenge message and assuming the CPE
      is entitled to connect to the network) that carries a list of parameters
      to be used for this session, and which include MPTCP-Concentrator
      reachability information (namely a list of IP addresses).</t>

      <t>The content of the MPTCP-Concentrator attribute is then used by the
      NAS to complete the DHCPv6 procedure that the CPE initiated to retrieve
      information about the MPTCP Concentrator it has been assigned.</t>

      <t>Upon change of the MPTCP Concentrator assigned to a CPE, the RADIUS
      server sends a RADIUS CoA message <xref target="RFC5176"></xref> that
      carries the RADIUS MPTCP-Concentrator attribute to the NAS. Once that
      message is accepted by the NAS, it replies with a RADIUS CoA ACK
      message. The NAS replaces the old MPTCP Concentrator with the new
      one.</t>

      <t><xref target="ex2"></xref> shows another example where a CPE is
      assigned an MPTCP Concentrator, but the CPE uses DHCPv4 to retrieve a
      list of IP addresses of an MPTCP Concentrator.</t>

      <t><figure align="center" anchor="ex2" title="Sample Flow Example (2)">
          <artwork><![CDATA[      CPE                               NAS                      AAA
  DHCPv4 client                      DHCPv4 server              server
       |                                  |                        |
       |-----------DHCPDISCOVER---------->|                        |
       |                                  |----Access-Request ---->|
       |                                  |                        |
       |                                  |<----Access-Accept------|
       |                                  | (MPTCP-Concentrator)   |
       |<------------DHCPOFFER------------|                        |
       |         (OPTION_V4_MPTCP)        |                        |
       |                                  |                        |
       |------------DHCPREQUEST---------->|                        |
       |         (OPTION_V4_MPTCP)        |                        |
       |                                  |                        |
       |<-----------DHCPACK---------------|                        |
       |        (OPTION_V4_MPTCP)         |                        |

                     DHCPv4                         RADIUS]]></artwork>
        </figure></t>

      <t>Some deployments may rely on the mechanisms defined in <xref
      target="RFC4014"></xref> or <xref target="RFC7037"></xref>, which allow
      a NAS to pass attributes obtained from a RADIUS server to a DHCP
      server.</t>
    </section>

    <section anchor="Security" title="Security Considerations">
      <t>RADIUS-related security considerations are discussed in <xref
      target="RFC2865"></xref>.</t>

      <t>MPTCP-related security considerations are discussed in <xref
      target="RFC6824"></xref> and <xref target="RFC6181"></xref>.</t>

      <t>Traffic theft is a risk if an illegitimate concentrator is inserted
      in the path. Indeed, inserting an illegitimate concentrator in the
      forwarding path allows an attacker to intercept traffic and can
      therefore provide access to sensitive data issued by or destined to a
      host. To mitigate this threat, secure means to discover a concentrator
      should be enabled.</t>
    </section>

    <section title="Table of Attributes">
      <t>The following table provides a guide as to which types of RADIUS
      packets may contain this attribute, and in what quantity.</t>

      <t><figure>
          <artwork><![CDATA[   Access- Access- Access-  Challenge Accounting #   Attribute
   Request Accept  Reject             Request
   0+      0+      0        0         0+         TBA MPTCP-Concentrator

   CoA-Request CoA-ACK CoA-NACK #   Attribute
   0+          0       0        TBA MPTCP-Concentrator
]]></artwork>
        </figure></t>

      <t>The following table defines the meaning of the above table
      entries:<figure>
          <artwork><![CDATA[   0  This attribute MUST NOT be present in packet.
   0+ Zero or more instances of this attribute MAY be present in packet.
]]></artwork>
        </figure></t>
    </section>

    <section anchor="IANA" title="IANA Considerations">
      <t>IANA is requested to assign a new RADIUS attribute type from the IANA
      registry "RADIUS Attribute Types" located at
      http://www.iana.org/assignments/radius-types:<list style="empty">
          <t>MPTCP-Concentrator (TBA)</t>
        </list></t>
    </section>

    <section anchor="Acknowledgements" title="Acknowledgements">
      <t>To be completed.</t>
    </section>
  </middle>

  <back>
    <references title="Normative References">
      <?rfc include="reference.RFC.2119"?>

      <?rfc include='reference.RFC.6890'?>

      <?rfc include='reference.RFC.2865'?>
    </references>

    <references title="Informative References">
      <?rfc include='reference.RFC.4908'?>

      <?rfc include='reference.RFC.0793'?>

      <?rfc include='reference.RFC.6911'?>

      <?rfc include='reference.RFC.3315'?>

      <?rfc include='reference.RFC.2131'?>

      <?rfc include='reference.RFC.6824'?>

      <?rfc include='reference.RFC.5176'?>

      <?rfc include='reference.RFC.6181'?>

      <?rfc include='reference.RFC.4014'?>

      <?rfc include='reference.RFC.7037'?>
    </references>
  </back>
</rfc>
